Well, I spoke too soon. Here's a method to log the entire request, with Host and URI. I found this on the CCIE_Security mailing list archive. Basically, you set up a regex to match the sites you wish to log. I used a simple dot "." to match anything.

Beware -- this logs every HTTP request that the ASA sees. I have no idea how much load this places on an ASA with significant HTTP traffic. As described in the linked mailing list post, you may create more specific regex lists to match specific Hosts and/or URIs, and may take actions other than logging, including blocking/resetting.

That is correct. Note that even in your log you have "/adj/imdb2.consumer.homepage/", which is probably the URI of the GET request. So the URL in the GET is logged. I believe you would have a log for the initial GET to imdb.com.

How about if you try microsoft as I did? You should see the same initial log there and then a bunch of other logs for the subsequent GETs done to complete the page.

From the logs posted, it appears the GET is being logged, but not the Host header. The Host header is the part of the request that would tell you which site at the logged IP address was accessed. It comes before the GET.

Name-based virtual hosts (in HTTP 1.1) require a Host header in the HTTP request, because many website domains can share the same IP address.

Scott, I'm not aware of a way to log the Host header of an HTTP request using the ASA. Panos' reply to this thread seems more informative to that end, saying that this enhancement request is CSCdt32288 but is not on the roadmap. I would also use this feature if the ASA were not overly burdened by enabling it.

If you absolutely must log the entire HTTP request, you may need to consider a different solution to meet that need. A sniffer with appropriate filters, an HTTP-aware IDS (snort.org), or a web filtering product could all handle this easily.

I've configured the regex matchall etc this morning and I'm afraid nothing appears in the logs - I'm starting with an ASA config "out of the box" so maybe I'm missing something, though I have enabled logging .....

My syslog server is set up to only receive NOTICE events from the ASA. However, I'm now stuck where Scott was in his original post. It's logging the IP and URI, but isn't showing the actual host. I'm running 8.0(4). Here's what I see in my logs:

Any new news on this issue? I haven't been able to get the ASA (running version 8.2(1)) to log the hostname using any of the techniques above. However, if you look at this cisco.com page, it indicates indirectly that this is meant to work, simply by adding "inspect http" to class inspection_default.

The inspect http command is placed under a class-map within a policy-map. When enabled with the service-policy command, http inspection logs Get requests with syslog message 304001. ASA code 8.0.4.24 or later is required for syslog message 304001 to show the hostname as part of the URL.

I'm baffled. It is hard to believe this should be so difficult. How else are you supposed to log web usage without 3rd party products or a proxy server?

I've just reread all of the posts in this thread and realised that back at the start the version on our ASA was different; in the meantime one of my colleagues has upgraded the IOS version, and I have not tried URL logging since. So, I'll try again and see what the result is.

I finally got around to trying this again and I can confirm that with v8.2(3) and using the regex config from Roderick above my ASA is now logging what appears to be the full urls of sites. I didn't have to do anything with DNS either.
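An added example, not part of any post in this thread: a small Python parser for syslog message 304001 that separates lines carrying the hostname from lines that carry only the URI, which is the difference discussed above for sites sharing one IP address. The message layout (`source Accessed URL dest_ip:url`), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed layout of syslog 304001: "<source> Accessed URL <dest_ip>:<url>"
MSG_304001 = re.compile(
    r"%(?:ASA|PIX)-\d-304001: (?P<src>\S+) Accessed (?:JAVA )?URL "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s*(?P<url>\S+)"
)

def parse_304001(line):
    """Return a dict for a 304001 line, or None for any other message."""
    m = MSG_304001.search(line)
    if m is None:
        return None
    url = m.group("url")
    if url.startswith("/"):
        # URI only: the Host header was not logged
        host, uri = None, url
    else:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = parts.hostname
        uri = parts.path or "/"
        if parts.query:
            uri += "?" + parts.query
    return {"src": m.group("src"), "dst": m.group("dst"), "host": host, "uri": uri}

def summarize(lines):
    """Count requests per site; fall back to the destination IP when no host was logged."""
    sites, missing_host = {}, 0
    for line in lines:
        rec = parse_304001(line)
        if rec is None:
            continue
        if rec["host"] is None:
            missing_host += 1
        key = rec["host"] or rec["dst"]
        sites[key] = sites.get(key, 0) + 1
    return sites, missing_host

# Constructed sample lines (documentation addresses, not taken from the thread)
SAMPLE = [
    "%ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.7:/adj/imdb2.consumer.homepage/",
    "%ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.7:http://www.example.com/index.html?x=1",
    "%ASA-5-304001: 192.0.2.11 Accessed URL 198.51.100.7:http://shop.example.net/",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/80",
]
```

In the sample, three requests go to the same destination IP; only the two lines that include the hostname can be attributed to a specific site.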